
PHP remains the most popular server-side language on the Web and the favored language for Web attacks. Although developers have become more aware of traditional vulnerability types, such as XSS and SQLi, these flaws still persist due to faulty security mechanisms or intricate language features. Besides, more complex vulnerability types, such as second-order vulnerabilities or PHP object injections, are comparatively unknown and actively exploited by attackers.

The manual detection of such complex vulnerabilities in modern PHP applications with hundreds of thousands of lines of code is time-consuming and expensive. With the help of static code analysis, security vulnerabilities can be detected in an automated fashion and subsequently remediated. However, previous research in this area focused only on the shallow detection of traditional vulnerability types and dismissed more complex occurrences or types of vulnerabilities.

This talk shows how to detect complex vulnerabilities automatically with state-of-the-art code analysis techniques. The techniques are able to precisely detect traditional security vulnerabilities in various markup contexts, as well as second-order vulnerabilities and gadget chains for PHP object injections. Further, open challenges and lessons learned during the development and evaluation of the techniques are outlined.

Dr. Johannes Dahse recently finished his Ph.D. in IT security at the Ruhr-University Bochum, Germany. In the past four years, he explored new static code analysis techniques in order to assist his work as a security consultant. Since then, he has been co-founder and the CEO of RIPS Technologies...